GDPR Rights and Data Protection

1. Data Controller Information

Fraser Peak Outdoor Adventures acts as the data controller for personal information collected through our services and website.

2. Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to:

• Confirm whether we process your personal data
• Access your personal data we hold
• Receive information about how we process your data
• Obtain details about data sharing with third parties
• Know the retention period for your data
• Understand your rights and how to exercise them

Right to Rectification (Article 16)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data
• Update outdated information
• Amend misleading data

Right to Erasure - "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• Data is no longer necessary for original purpose
• You withdraw consent and no other legal basis exists
• You object to processing and no overriding legitimate interests exist
• Data has been unlawfully processed
• Deletion is required for legal compliance
• Data was collected from a child without proper consent

Right to Restrict Processing (Article 18)

You can request restriction of processing when:

• You contest the accuracy of personal data
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

Right to Data Portability (Article 20)

You have the right to:

• Receive your personal data in a structured, machine-readable format
• Transmit data to another controller without hindrance
• Have data transmitted directly to another controller where technically feasible

Right to Object (Article 21)

You have the right to object to processing based on:

• Legitimate interests (including profiling)
• Direct marketing purposes
• Scientific, historical research or statistical purposes

Rights Related to Automated Decision-Making (Article 22)

You have the right to:

• Not be subject to automated decision-making
• Obtain human intervention in automated processes
• Express your point of view
• Contest automated decisions

3. How to Exercise Your Rights

Making a Request

To exercise your GDPR rights, please contact us using the following methods:

• Email: support@qutipams.com with "GDPR Request" in subject line
• Written request to: 156 Forth Street, Invercargill 9810, New Zealand
• Phone: +64-3-218-9000 (reference GDPR rights)

Information Required

To process your request efficiently, please provide:

• Full name and contact information
• Specific right you wish to exercise
• Details of personal data concerned (if applicable)
• Proof of identity (copy of ID document)
• Reason for request (if required by law)

Response Timeframe

• Initial acknowledgment within 72 hours
• Full response within 1 month of receipt
• Extension to 3 months for complex requests
• Notification of any delays with reasons

4. Consent Management

Withdrawing Consent

Where processing is based on consent, you can withdraw it at any time:

• Email unsubscribe links for marketing communications
• Cookie preference settings on our website
• Contact us directly to withdraw specific consents
• Account settings for registered users

Marketing Communications

You can opt out of marketing communications by:

• Clicking unsubscribe links in emails
• Updating your communication preferences
• Contacting customer support
• Adjusting account settings

Cookie Management

Manage cookies through:

• Cookie banner preferences on first visit
• Browser settings and preferences
• Third-party cookie management tools
• Contact us for assistance

5. Data Processing Lawful Bases

Consent (Article 6(1)(a))

• Marketing communications
• Optional data collection
• Cookies and tracking (non-essential)
• Newsletter subscriptions

Contract Performance (Article 6(1)(b))

• Booking processing and management
• Service delivery
• Payment processing
• Customer support

Legal Obligation (Article 6(1)(c))

• Tax and accounting requirements
• Safety and regulatory compliance
• Anti-money laundering checks
• Health and safety records

Legitimate Interests (Article 6(1)(f))

• Website security and fraud prevention
• Business development and improvement
• Analytics and performance monitoring
• Customer relationship management

6. International Data Transfers

Transfer Safeguards

When transferring data outside the EEA, we ensure adequate protection through:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)
• Certification schemes and codes of conduct

Third Country Transfers

We may transfer data to:

• New Zealand (adequacy decision)
• United States (with appropriate safeguards)
• Other countries with adequate protection measures

7. Data Retention Periods

Customer Data

• Active customer accounts: Duration of relationship plus 7 years
• Booking records: 7 years after service completion
• Payment information: 7 years for tax compliance
• Medical information: 7 years after last service

Marketing Data

• Email marketing: Until unsubscribe or 3 years of inactivity
• Website analytics: 26 months maximum
• Cookie data: As specified in cookie policy

Legal and Safety Data

• Incident reports: 10 years minimum
• Safety certifications: Duration of validity plus 3 years
• Insurance records: 7 years after policy expiration

8. Data Subject Rights Limitations

In certain circumstances, we may be unable to fully comply with your rights request due to:

Legal Obligations

• Tax and accounting record requirements
• Safety and regulatory compliance
• Court orders and legal proceedings
• Law enforcement requests

Legitimate Interests

• Fraud prevention and detection
• Security incident investigation
• Protection of other individuals' rights
• Freedom of expression and information

Technical Limitations

• Backup systems and archived data
• Pseudonymized or anonymized data
• Third-party system constraints
• Disproportionate effort requirements

9. Complaints and Supervisory Authorities

Internal Complaints Process

If you are not satisfied with our response to your GDPR request:

1. Contact our Data Protection Officer at contact@qutipams.com
2. Escalate to senior management if necessary
3. Request internal review of the decision
4. Seek mediation through recognized dispute resolution service

Supervisory Authority Complaints

You have the right to lodge a complaint with relevant supervisory authorities:

EU/EEA Residents

• Your local data protection authority
• The authority in the country where the alleged violation occurred
• The authority where Fraser Peak has its main establishment

New Zealand Residents

• New Zealand Privacy Commissioner
• Website: privacy.org.nz
• Phone: 0800 803 909

10. Data Breach Notification

Our Obligations

In case of a personal data breach, we will:

• Notify relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay if high risk
• Document all breaches and response measures
• Implement measures to address the breach

Individual Notification

We will notify you directly if a breach:

• Poses high risk to your rights and freedoms
• Involves sensitive personal data
• Could result in identity theft or fraud
• May cause significant harm or distress

11. Updates to GDPR Information

We may update this GDPR information to reflect changes in:

• Data protection laws and regulations
• Our data processing practices
• Supervisory authority guidance
• Business operations and services

Updates will be posted on our website with the revision date. Significant changes will be communicated directly to affected individuals.

12. Contact Information

For any GDPR-related questions or to exercise your rights, please contact us: